Supporting Frame on a Nutanix AHV Cluster: Time Configuration.

It’s Frame time! (cue Time) This blog addresses the importance of time setup for an AHV-based Nutanix cluster supporting an on-prem Frame deployment. Anyone who has experience with or presently supports Nutanix clusters knows the importance of an accurate NTP time setup and recommended time configurations. If you are new to Nutanix cluster configurations in relation to time setup, please see the links at the end of this blog for more reference.

Time is a crucial factor when deploying Frame workloads on a Nutanix cluster. If not configured properly within the cluster and infrastructure components, it can prevent the Frame control plane from properly connecting to an on-prem cluster (due to Frame’s cloud-based services and the on-prem setup mechanisms).  For example, the one-click setup wizard in Prism Central and the Cloud Service account orchestration in the cloud will fail if time is not properly configured.

A key aspect to remember is that you have time configurations in several areas, including:

• The underlying infrastructure of a Nutanix cluster, the Controller Virtual Machines (CVMs) with a Prism Element (PE) console, the AHV hosts/nodes, and Prism Central (PC). 
• The underlying infrastructure of Frame, such as the Cloud Connector Appliance (CCA), Workload Proxy Cloud Connector Appliance (WCCA), the Secure Gateway Appliance (SGA) Virtual Machines. (VMs) and the Frame workload VMs that users access (Linux or Windows-based OS VMs). 
• The Nutanix Control Plane for  Frame at https://console.nutanix.com (hosted in a public cloud). 

This blog details how to set, check, and verify the underlying hosting infrastructure in a cluster. Items to note include:

• The Frame infrastructure VMs, which get their time from the AHV hosts they reside on.
• The Frame workload VMs that users access, which get their time from the AHV hosts they reside on initially (the VMs will set time according to how they are configured within the OS date/time setup). 
• The Frame control plane and its time configuration (managed by Nutanix) and the chosen cloud provider (currently AWS; Azure is forthcoming).

The top considerations for time setup in supporting  Frame workloads on a Nutanix cluster are:

• Time synchronization across control plane components.
• The time zone setting across all underlying infrastructure items.

Time Synchronization

For time synchronization, it is important to stay within a five-minute window of variance for effective communication among the control plane components. The  Frame Platform generates security tokens when the user authenticates to  Frame that have "not valid before" and "not valid after" timestamps. The  Frame infrastructure components use these tokens to determine whether the tokens are valid or not. If the timebase on the on-prem  Frame components is off from the internet timebase, then users cannot start sessions. The SGA and the workload VMs will deny users access if the security tokens are not valid (time-wise). Synchronized time allows for the control plane to communicate with the on-prem components securely and for things like SSL certificate validation and service checks. This enables proper orchestration among the users’ endpoints, the Nutanix control plane, and the  Frame on-prem infrastructure (CCA, WCCA, and SGA).

This requirement is similar to how Microsoft Windows uses a time sync for Kerberos use in Active Directory, with an identical five-minute requirement. If the Windows OS timebase is out of sync with the Kerberos server timebase, then users cannot authenticate to their Windows login. 

The Time Zone

 Frame deployments use UTC for time zones. This is critical for two main reasons.

1. The Nutanix control plane for  Frame and the on-prem AHV Infrastructure components (CCA, WCCA, SGA VMs) operate in UTC. The infrastructure VMs deployed on-premises use UTC by default, so that they are in the same time zone as the Nutanix control plane for  Frame.
2. Having all of the infrastructure components in the same time zone allows for a more consistent logging experience, simplifying resource tracking, session analysis, and troubleshooting.

Verifying Time Zone and Time

• For the CVMs (AOS), log in to one of the CVMs and run
  • allssh ssh root@192.168.5.1 date
• For Prism Central, log in to PC and run
  • date
• For AHV hosts, log in to one of the CVMs and run
  • hostssh ssh root@192.168.5.1 date

Configuring Time Zone

• For AOS: 
  • allssh ncli cluster set-timezone timezone=UTC (example syntax for UTC)
• For Prism Central: 
  • allssh ncli cluster set-timezone timezone=UTC
• For AHV: 
  • hostssh "date; mv /etc/localtime /etc/localtime.bak; ln -s /usr/share/zoneinfo/UTC /etc/localtime; date" (example syntax for UTC)

Configuring Time

Make sure the time is within five minutes on all components. If not then resync as follows:

• To resync the time on the CVMs and AHV hosts 
  • allssh ssh root@192.168.5.1 ntpq -p
• Stop the ntpd daemon
  • Allssh ssh root@a92.168.5.1 service ntpd stop
• To update the time from the time servers
  • allssh ssh root@192.168.5.1 ntpdate -u us.pool.ntp.org
• Start the ntpd daemon again
  • allssh ssh root@192.168.5.1 service ntpd start

After performing the tasks noted above where applicable, and verifying that time is set up properly, you can now deploy  Frame on a Nutanix AHV cluster with confidence that time configurations will not be a source of impediment to a successful deployment. 

To deploy a  Frame environment on a Nutanix-hosted cluster, follow these steps as documented in the reference link below on Frame on Nutanix AHV.

Reference links:

• Time Synchronization on Nutanix Cluster
• Web-Console-Guide-Prism- ntp server time sync recommendations
• AHV User VM reverts to UTC timezone after it is power cycled
• Frame on Nutanix AHV

Dan Simmons Linkedin

Dan Simmons is a Senior Solutions Architect with Nutanix Frame who has worked in the public and private sector with an extensive background in VDI. A former Citrix employee in technical support, consulting and system engineering roles. He started at Nutanix as a federal team resident consultant, supporting Citrix VDI workloads, later transitioning to the Xi Frame Solution Architect team. Dan is also an 82nd airborne infantry paratrooper and combat veteran. Happy father and husband, WWII history buff, amateur no limit texas hold em poker player, and comic book geek when time permits.

_{© 2021 Nutanix, Inc.  All rights reserved. Nutanix, the Nutanix logo and all Nutanix product, feature and service names mentioned herein are registered trademarks or trademarks of Nutanix, Inc. in the United States and other countries. Other brand names mentioned herein are for identification purposes only and may be the trademarks of their respective holder(s). This post may contain links to external websites that are not part of Nutanix.com. Nutanix does not control these sites and disclaims all responsibility for the content or accuracy of any external site. Our decision to link to an external site should not be considered an endorsement of any content on such a site. This post may contain express and implied forward-looking statements, which are not historical facts and are instead based on our current expectations, estimates and beliefs. The accuracy of such statements involves risks and uncertainties and depends upon future events, including those that may be beyond our control, and actual results may differ materially and adversely from those anticipated or implied by such statements. Any forward-looking statements included herein speak only as of the date hereof and, except as required by law, we assume no obligation to update or otherwise revise any of such forward-looking statements to reflect subsequent events or circumstances.}